(C)0ld Case : From Aerospace to China's interests.
Published: 2018-11-16 · Archived: 2026-04-05 14:28:46 UTC

Via the events collected mostly from passive DNS records, I'll highlight that threat actor(s)/group(s) have, since 2010, been using a "DNS hijacking" tactic, observed here as replacing a victim's zone authoritative name servers by ones under their control for a short period of time. This could result in interception, espionage or sabotage. The victim profiles found align strongly with China's interests. Various areas of activity are concerned, from Fortune 100 companies to cultural or religious organizations:

France: Safran, Snecma (now Safran Aircraft Engines)
Korea: Microsoft, Adobe, Honeywell, Nintendo, Logic Korea (video games), KFTC (financial payment service), Minghui (Falun Gong organization), Shinchonji (Evangelists)
Australia: Australian Postal Corporation, Guangming (Falun Gong organization)
United States: Makerbot (3D printing company)

US DOJ & Aerospace

Referring to the indictment by the U.S. Department of Justice (DOJ) of ten Chinese intelligence officers for espionage (2018-10-10), cf:
https://cyberthreatintelligenceblog.wordpress.com/2018/11/16/c0ld-case-from-aerospace-to-chinas-interests/ Page 1 of 28

According to this indictment: "Beginning in at least December 2013 and continuing until his arrest, Xu targeted certain companies inside and outside the United States that are recognized as leaders in the aviation field."

NB: You can read this link too, which also summarizes these recent events well.

I decided to look at what I could find on a (c)old case "linked" to this indictment. My starting point was this CrowdStrike article from February 25th, 2014:

The events (published and/or occurring) were around the same period too,
i.e. at the end of 2013 and the beginning of 2014:

2014-01-11: French Aerospace
2014-02-11: VFW
2014-02-25: CrowdStrike article

We know that Safran, Snecma (a Safran subsidiary) and the French aerospace industries association, the "Groupement des industries françaises aéronautiques et spatiales" (GIFAS), were concerned. I decided to start from what we know and look into passive DNS data, mostly.

secure[.]safran-group[.]com

The first thing was that Safran left one of its RRs pointing to a malicious IP for more than two months (?!). The two other domains were, a contrario, malicious domains crafted for the operation and not directly related to the victims.

(Source: DNSDB)

Safran Name Server

From the CrowdStrike article: "Of particular interest was secure[.]safran-group[.]com. Safran is a France-based aerospace and defense company with a focus on the design and production of aircraft engines and equipment. The company owns the safran-group[.]com domain, and the fact that one of its subdomains was pointed at a malicious IP address suggests that the adversary compromised Safran's DNS."

The second point is the bold text above: "(...) the adversary compromised Safran's DNS." I didn't find anything that could help understand how it was accomplished. By searching the Internet I found a UC San Diego thesis titled "Investigating DNS Hijacking Through High Frequency Measurements" which seems well informed on the incidents:

Snecma Name Server

What we can read in the CrowdStrike article is that a number of domains were added to the hosts file of victim machines, but: "the purpose of this component is unclear.
It does not map these domains to malicious IP addresses because the 217.108.170.0/24 range belongs to the company."

By looking at the snecma.fr name servers I found some weird ones at the time: ns1.acfine.net and ns2.acfine.net

Time first seen was the 20th of November 2013: did the attack occur first? The same for two days in August 2013.

If we now look at the domains that were using these name servers, we see interesting points:

What is interesting with these domains/sites is the mix of target profiles and China's interests:

snecma.fr was indicated previously and was without any doubt a Chinese interest at that time. We have covered this briefly above.

guangming.org seems to be a "Falun Gong" information website, which is of the utmost interest in China's policy. We can see multiple references to this "organization", and China sees it as a cult (see this official Chinese governmental link, e.g.). NB: The website may be related to their practice in Australia.

auspost.com.au

This is the website of the Australian Postal Corporation. Maybe linked to the previous possible Falun Gong targets?

makerbot.com is a 3D printing company based in New York. Could this be another objective of the attackers, or another group inside a team? An APT could be composed of several groups/teams with different goals, sometimes using the same infrastructure or sharing the same TTPs. Some open lines of investigation on this... but I found on their website that a Lockheed Martin Senior Research Engineer had been using their product since 2014: It could be interesting for attackers to target this company to correlate different data.
ex: Lockheed Martin blueprints + robotic mechanisms & engineering. Correlating two different databases could reveal useful information; ex: the Office of Personnel Management (OPM), which handles the SF-86 form used to obtain a security clearance, + Anthem (health insurance) permitted finding CIA agents by doing a diff between the data...

LinkedIn profile:

Airbus & Microsoft Korea

Sample (0237f92714f28d755025fa6ba0f4759c7797edd73c4ccbd544495941ae0e0bcd) contacting the Microsoft domain:

NB: The compilation timestamp 2012-11-21 07:17:31 of the above sample is consistent with the DNSDB timestamps too, see below: 2012-11-11 to 2012-11-22

Here are the contacted URLs: (Source: VT)

A victim contacted a Microsoft domain? A legit one? I did a little research and yes, microsoft.co.kr now redirects to microsoft.com/korea for its corporate website. I searched Farsight DNSDB passive DNS records and looked at all records for this domain: microsoft.co.kr.

Same as previously, for a few time periods (1 day in 2010, and more than 11 days in 2012), Microsoft Korea's name servers were directed to what I immediately found suspect: respectively ns21.dollar2host.com / ns22.dollar2host.com and ns0.nscomdomain.com / ns1.nscomdomain.com. NB: ns2.msft.net (an ns3, and 4..)
were not suspect because they are legit Microsoft domains, but NOT the others... Microsoft in Korea was pwned 2 times, in 2010 and 2012, and as far as I know I didn't see this information well documented.

What could possibly go wrong? Same tactic? DNS hijacking, let's see...

ns21.dollar2host.com / ns22.dollar2host.com (NS)

What domains were using these name servers? First of all there are a LOT of domains, crappy or legitimate ones. While looking around the time of usage for my microsoft.co.kr domain, I found several other corporate domains:

microsoftstore.co.kr
adobe.co.kr
nintendo.co.kr

Ex: today's website for the nintendo.co.kr domain:

While sweeping through the pages and pages (...) of domains I discovered other financial & banking domains, but I suppose they answer to another objective because the time they were using the NS is longer: a few months and not hours/minutes. I didn't check if the domains were legit at the time or if they were mimicking their target's name.

NB: chryslerfinancialinfoservice.com from 2010-08-23 to 2010-11-28 is not represented above.

This could be what I call a batch process used by the threat actor; look at the exact same timing. In these groups, they need to "stick to the rules" to protect (compartmentalize) the information for security, and their registration process may reveal batch operations.

2018-11-24 Update: Continuing on ns21, I saw that microsoft.kr was briefly using this NS in 2010 too:

I also found ns1.dqtec.com (and ns2.dqtec.com), which were using this NS too in 2010, e.g. with ns1.dqtec.com below:

What was the IP resolution of these records?
ns1.dqtec.com ==> 67.212.186.170
ns2.dqtec.com ==> 67.212.186.171

Now What? Ecuador

If these IPs were used for bad things at the time (no idea..), some other records may have pointed to them. Again pivoting:

Source: DNSDB

I have no idea if these records were legit at the time. First thing first, referring to Wikipedia, .gob.ec was replaced by .gov.ec:

For the domains:

hanm.gob.ec was "el Hospital Provincial Alfredo Noboa Montenegro".

cnecarchi.gob.ec was la "Delegación Electoral del Carchi", depending on Ecuador's National Electoral Council, for "la delegación de" (translates approximately to "district of"...) Carchi; website at the time (2012-05-25):

Nowadays the website:

sevfae.mil.ec: We can interpret the function globally as Ecuador's Air Force virtual education system. It's a military website and domain. At the time the website was:

Nowadays:

AGA is "Academia de Guerra Aérea FAE", which translates to Ecuador's Air Force war academy. This is also "similar" to the last domain below: academiadeguerraaerea.mil.ec

Illustration nowadays (not the same domain..):

ns0.nscomdomain.com / ns1.nscomdomain.com (NS)

Same process. What domains were using these name servers?
Here when I search for ns0 there are fewer domains, in fact only 6, including our microsoft.co.kr. All information was from 2012:

Examining these domains I was really surprised to find that minghui.or.kr was linked to "Falun Gong" too! Do you remember "guangming.org" at the beginning of this blog post? That could reveal the same kind of interest by this/these actor(s).

shinchonji.kr is another religious/cult organization (Evangelists as far as I understand) that may represent an interest too for China's monitoring policy.

logickorea.co.kr

A Korean company in the video games business. I immediately think about the APT that targeted the video games industry (Winnti). As Kaspersky noted in its report "Winnti. More than just a game", South Korean video game vendors were targeted: "Interestingly, the digital signature belonged to another video game vendor – a private company known as KOG, based in South Korea."

kftc.or.kr is a Korean financial payment service company with a lot of services today: Cash Dispenser (CD) Network, Interbank Fund Transfer (IFT), HOFINET, and the Korea Cash (K-CASH) Network, which connects KFTC, all banks in Korea and a system service provider (SP) for payment settlements using an electronic currency. K-CASH would be a target for any intelligence service on earth, including the Ministry of State Security (MSS / Guoanbu). Do you remember the NSA's compromise of the SWIFT network, revealed in 2017?
honeywell.co.kr

I know that one 🙂 Honeywell, not because I'm an ICS/SCADA guy but because of Shodan! 😉 Anyway, this Honeywell Korean website was in the list too... NB: the honeywell.co.kr website redirects to http://www.honeywell.com/worldwide/ko-kr

Conclusion

Starting from public indicators and passive DNS data, and by looking at the domains, their zone authoritative name servers, and the other domains using the latter (pivoting), we discovered victims. The volume and diversity of domain names suggest that multiple threat actors were likely involved. It is also likely that China's interests are in line with these operations, especially because of the cultural/religious aspect, which was of utmost interest to China at the time of these events. NB: The same kind of interest is seen e.g. from NetTraveler, which specifically targets Tibetan/Uyghur activists.

Actors could use a service like a "DNS hijacking" tactic broker (as the Elderwood project was, in comparison, an APT 0-day broker), or they are likely to have used a shared process for this tactic.

By understanding the actors' tradecraft, we also shine some light on China's policy, supposed intelligence services (MSS/Guoanbu), and business needs since 2010 from APT actors (sometimes named Turbine Panda / BlackVine & Winnti), where one of the central and common capabilities is the Sakula malware.
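The pivoting described in this conclusion, and the "batch process" timing observation made earlier for the dollar2host name servers, can be turned into a small defender-side triage routine over passive DNS NS records. The script below is an added example, not the blog author's tooling and not a DNSDB client: it takes a constructed list of NS observations (rrname, rdata, first-seen, last-seen) in the shape passive DNS returns, flags name servers that differ from the zone's long-lived provider and were used only briefly, pivots on a flagged NS to list the other domains that used it for a short time only, and clusters findings with identical first/last dates. The domain and name-server names are those cited in the post; the 2012-11-11 to 2012-11-22 window is from the post, while the 2010 date, the ".example" baseline servers, the extra hosting customer and the 30-day threshold are assumptions made up for the example.

```python
"""
Passive-DNS triage for short-lived authoritative name-server (NS) changes.

Added illustration, not the blog author's own tooling. SAMPLE_NS_RECORDS is
CONSTRUCTED in the shape of passive-DNS NS observations (rrname, rdata,
first-seen, last-seen). Domain and name-server names are those cited in
the post; the exact dates, the '.example' baseline servers and the extra
hosting customer are assumptions made up for the example.
"""
from collections import defaultdict
from datetime import date

# Constructed sample: (rrname, rdata, time_first, time_last).
SAMPLE_NS_RECORDS = [
    # Long-lived, presumed legitimate NS for the zone (dates assumed).
    ("microsoft.co.kr", "ns1.msft.net", date(2009, 1, 1), date(2014, 12, 31)),
    ("microsoft.co.kr", "ns2.msft.net", date(2009, 1, 1), date(2014, 12, 31)),
    # One-day swap in 2010 (day assumed) and the 2012-11-11..2012-11-22 window from the post.
    ("microsoft.co.kr", "ns21.dollar2host.com", date(2010, 6, 3), date(2010, 6, 3)),
    ("microsoft.co.kr", "ns22.dollar2host.com", date(2010, 6, 3), date(2010, 6, 3)),
    ("microsoft.co.kr", "ns0.nscomdomain.com", date(2012, 11, 11), date(2012, 11, 22)),
    ("microsoft.co.kr", "ns1.nscomdomain.com", date(2012, 11, 11), date(2012, 11, 22)),
    ("adobe.co.kr", "ns1.corp-legit.example", date(2009, 1, 1), date(2014, 12, 31)),
    ("adobe.co.kr", "ns21.dollar2host.com", date(2010, 6, 3), date(2010, 6, 3)),
    # An ordinary hosting customer: same NS, but for years, so not a victim signal.
    ("hosting-customer.example", "ns21.dollar2host.com", date(2010, 1, 1), date(2014, 12, 31)),
]

MAX_SUSPECT_DAYS = 30  # assumed threshold: victims used the rogue NS for hours to days


def ns_provider(ns_host):
    """Crude registrable-domain approximation: last two labels of the NS host."""
    return ".".join(ns_host.lower().rstrip(".").split(".")[-2:])


def duration_days(first, last):
    """Inclusive number of days an observation spans."""
    return (last - first).days + 1


def baseline_providers(records, domain):
    """Provider(s) that hosted the zone the longest: the presumed legitimate NS."""
    seen = defaultdict(int)
    for name, rdata, first, last in records:
        if name == domain:
            seen[ns_provider(rdata)] += duration_days(first, last)
    if not seen:
        return set()
    longest = max(seen.values())
    return {p for p, d in seen.items() if d == longest}


def find_short_lived_ns(records, max_days=MAX_SUSPECT_DAYS):
    """(domain, ns, first, last, days) for NS records that differ from the
    domain's baseline provider and lived at most max_days."""
    findings = []
    for domain in sorted({r[0] for r in records}):
        base = baseline_providers(records, domain)
        for name, rdata, first, last in records:
            if name != domain:
                continue
            days = duration_days(first, last)
            if ns_provider(rdata) not in base and days <= max_days:
                findings.append((domain, rdata, first.isoformat(), last.isoformat(), days))
    return findings


def pivot_on_ns(records, ns_host, window_days=None):
    """Domains that used ns_host -> days of use. With window_days, keep only
    short uses: this separates victims from the provider's normal customers."""
    hits = {}
    for name, rdata, first, last in records:
        if rdata.lower() == ns_host.lower():
            days = duration_days(first, last)
            if window_days is None or days <= window_days:
                hits[name] = days
    return hits


def batch_clusters(findings):
    """Group findings by identical (first, last) window: identical timing across
    unrelated domains is the 'batch process' pattern the post points at."""
    clusters = defaultdict(set)
    for domain, _ns, first, last, _days in findings:
        clusters[(first, last)].add(domain)
    return {k: sorted(v) for k, v in clusters.items() if len(v) > 1}


if __name__ == "__main__":
    found = find_short_lived_ns(SAMPLE_NS_RECORDS)
    for f in found:
        print("suspect NS swap:", f)
    print("short-lived users of ns21.dollar2host.com:",
          pivot_on_ns(SAMPLE_NS_RECORDS, "ns21.dollar2host.com", window_days=30))
    print("batch clusters:", batch_clusters(found))
```

The baseline is simply the provider that served the zone the longest in the data, which is what the post does by eye (ns2.msft.net is trusted, the others are not). Feeding real passive DNS output requires only mapping its rows into the same tuple shape; the pivot with a window is the step that kept the hosting provider's many ordinary customers out of the victim list.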
Source: https://cyberthreatintelligenceblog.wordpress.com/2018/11/16/c0ld-case-from-aerospace-to-chinas-interests/